Manage permissions (ACLs)
Access rules let you precisely define what a particular user or device is permitted to access on your Tailscale network (known as a tailnet). Tailscale manages access rules for your network in the tailnet policy file using ACL syntax. Edit your tailnet’s access rules from the Access Controls page of the admin console.
Network access control lists (ACLs) define which devices can connect to which other devices on the tailnet. ACLs are:
- Default deny, so that Tailscale prevents communication between devices unless an access rule in the tailnet policy file explicitly allows it.
- Directional, so that a source can connect to a destination, but not vice versa (unless the reverse direction is also specified).
- Locally enforced, so that each device filters incoming connections according to the set of access rules distributed to all devices in your network. Enforcement therefore happens on each device directly, without further involvement from Tailscale’s coordination server.
ACLs control what connections can be made on the Tailscale network. They do not affect what a device can or cannot access on its own local network.
To learn more about Tailscale’s approach to access control in general, read our blog post on the history of access control systems, and why we designed Tailscale’s access rules the way we did.
When you first create your tailnet, the default tailnet policy file allows all devices within the tailnet to communicate with one another, in order to get started. You can modify your policy file to fit your organization’s needs.
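To make the default-deny and directional behaviour concrete, here is an added example (not Tailscale’s own code) that evaluates a small subset of ACL syntax: a policy with `accept` rules whose `src` entries are users, groups or `*`, and whose `dst` entries are `host:port` or `host:*`. The default allow-all policy is shown beside a constructed restricted policy; real policy files are HuJSON and support many more constructs (tags, autogroups, port ranges, `tagOwners`), which this illustration omits.

```python
import json

# Constructed example policies. Comments are omitted so strict json.loads works;
# real tailnet policy files are HuJSON and may contain comments.
DEFAULT_POLICY = '{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}'

RESTRICTED_POLICY = """{
  "acls": [
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:prod:22"]},
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:prod:443"]}
  ],
  "groups": {"group:dev": ["alice@example.com"]}
}"""


def _src_matches(src_entries, groups, src):
    """True if src is named directly, via a group, or by the '*' wildcard."""
    for entry in src_entries:
        if entry in ("*", src):
            return True
        if entry.startswith("group:") and src in groups.get(entry, []):
            return True
    return False


def _dst_matches(dst_entries, dst, port):
    """True if some 'host:port' entry matches dst and port ('*' matches any)."""
    for entry in dst_entries:
        host, _, port_spec = entry.rpartition(":")  # "tag:prod:22" -> ("tag:prod", "22")
        if host not in ("*", dst):
            continue
        if port_spec in ("*", str(port)):
            return True
    return False


def is_allowed(policy_json, src, dst, port):
    """Default deny: return True only if an accept rule matches src -> dst:port.

    Rules are directional, so a match for A -> B says nothing about B -> A.
    """
    policy = json.loads(policy_json)
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if _src_matches(rule["src"], groups, src) and _dst_matches(rule["dst"], dst, port):
            return True
    return False
```

With the restricted policy, `alice@example.com` reaches `tag:prod` on port 22 but not port 80, and `tag:prod` cannot initiate a connection back to her; under the default policy every pair is allowed.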
See sample ACLs for examples of common policies.
|On all plans
|On the Personal, Premium, and Enterprise plans
|Access rules for...
|Access rules specifying...
|ACL sections for...